Multifactor Authentication FAQ
What is multifactor authentication and why is it necessary?
Multifactor authentication, commonly referred to as MFA, is a method for securing an account with multiples means of verifying your identity. Multifactor authentication will use what you know, such a password, and what you have, such as the Microsoft Authenticator app, as two different forms of authentication. Having multiple requirements to verify identity when logging into services is the best form of protection against phishing attacks that have become much more common in the last few years. Multifactor authentication can protect access to your account, personal information, and university data in the event that your password is obtained by a malicious actor.
General Multifactor Authentication Questions
MFA is now required. Implementation began in January 2023 and required all students, faculty, and staff to register at least one MFA method. Now, newly admitted students will need to register an MFA method during the first quarter they are registered for classes, but we encourage them to opt-in to MFA before that so they can control when it will be enforced on their accounts.
Most users will not be prompted for MFA when on-campus. This is because we are using your location (physical presence on campus) as a second means of authentication. Some applications on campus that provide access to sensitive information will still require use of your authenticator. Similarly, some users who have access to highly sensitive information will require MFA when on-campus or off-campus.
Many online services accessed through your web browser from off campus that use your universal account for sign in will require the use of MFA. This includes Office 365, Zoom, Canvas, the Parking application, Contract Management, and others. Additionally, services and programs that house or facilitate access to sensitive information will require MFA such as connecting to campus remotely using the VPN.
If you do not have access to any of your authentication methods and you need access urgently a temporary access pass can be issued. A temporary access pass isn't intended to be used as a main method of authentication but is instead an option for accessing your account in an emergency when you are unable to access your previously configured methods. You may receive a pass by contacting the Help Desk. We will work with you on its usage, its limitations and assisting you with establishing a long-term authentication solution upon granting a temporary access pass.
Typically, no. MFA is required when you sign into a new device, application, or service. You can expect to be prompted for MFA at least every 90 days or sooner.
There are some use cases that may require more frequent authentication with MFA. Signing in on an incognito tab on a web browser will require MFA as it is seen as a new device. Similarly, signing in after clearing your browser cache may require MFA. Some applications with access to sensitive information may require MFA once every few hours. There are also cases where suspicious login activity or location may require you to sign into your account with MFA again. When changing your password, including when it expires, you will always be prompted for MFA.
The Microsoft Authenticator app for smart devices is recommended as your primary second factor of authentication. It is the most convenient, robust, and reliable method of authentication. For instructions on how to setup the app please review the Microsoft Authenticator knowledgebase article.
Other options include receiving a text message or phone call. This is less secure and may be subject to availability issues dependent on your mobile service.
Lastly, there is the option for a security key (FIDO2 key). A security key is a piece of hardware, typically a USB device, that plugs into your computer that is used as a means to verify your physical presence during login. Each key is unique and must be paired with your account before use. You may see reference to the key as a FIDO2 key, named for the security platform it interacts with.
There are some limitations on factors that cannot be used. You will be unable to use your office phone number as the phone system uses Microsoft Teams, which is protected by MFA. You also will be unable to use the alternative email address associated with your account. While this email address can be used for password reset requests, it is unable to be used for MFA.
For more details on alternative options please review our Alternative Authentication Methods knowledgebase article.
Yes. Having multiple forms configured is advantageous as you can use one form as a backup if your primary form fails. You will only be required to provide one of your available methods when prompted for MFA and can choose which method when prompted.
Yes. If you have installed the Microsoft Authenticator app on your mobile device, you can open the app, tap on your account, and view a one-time password code. You can use this code just like a code sent to you with a SMS text message. When authenticating, you may have to choose the option to “Sign in another way” after entering your password and being prompted for MFA. This code is generated using the time of your device so it will work as long as your device's time is accurate within 30 seconds.
If your only configured method is by receiving a text message or phone call you will need to reach out to the Help Desk for a temporary access pass.
Hardware security keys do not need access to the internet to function.
If you have configured a backup authentication method, you may choose to sign in another way during MFA. If you do not have an alternate method configured will have to contact the ATUS Help Desk for support.
If you plan to travel, you will want to configure the Microsoft Authenticator app on a smart device. The authenticator app contains functionality for displaying a rotating code that does not require cellular or internet connectivity to function. You may also want to consider configuring a security key (FIDO2 key) as a backup when traveling abroad. For more details on alternative options please review our Alternative Authentication Methods knowledgebase article.
Any smart device running Android or iOS can be configured to use the rotating one-time passcode (OTP) option from within the Microsoft Authenticator. This passcode does not require a cellular or internet connection to work and does not transmit or receive data. An old tablet or phone no longer in service can be used for the authenticator app.
If you do not have any smart devices, you may configure a security key (FIDO2 key) which will plug into a computer as a means of identification. More details on how to obtain a security key will be published prior to the requirement for MFA being set. For more details on alternative options please review our Alternative Authentication Methods knowledgebase article.
No. All authentication records are stored in the Microsoft Azure cloud, and any information on your personal devices would be redundant. Also, if you use the Authenticator App, there will be no record stored on your device.
Technical support for MFA is available from the Help Desk during their business hours or from your technical support staff.
Common Problems
This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This will cause this behavior. Using incognito browsing will also prompt for MFA each time you login.
The quick fix is to install and configure the Microsoft Authenticator App.
Verify that you can receive text messages to your phone by having a friend or co-worker text you. If you did not receive their texts, there is a problem with your phone or cell service. If not, you may still have a problem if you have configured your phone to block texts from unknown numbers. Using SMS (text messages) for MFA can result in intermittent yet persistent and difficult to diagnose problems. If you continue to have trouble authenticating, please contact the ATUS Help Desk.
You must have internet service for the push notification to work. Having your phone on Do not Disturb, or Focused mode may also prevent the notification from being displayed. Occasionally you may need to manually open the Microsoft Authenticator app first for the popup to appear.
If you still are not receiving the push notification, you may choose to sign in another way from the authentication prompt. You can then choose to use a verification code. To retrieve the code, open the Microsoft Authenticator app and tap on your account. You will see a six-digit code that rotates every 30 seconds that will be used to verify your identity.
If you continue to have trouble authenticating, please contact the ATUS Help Desk.
If you have configured more than one authentication method, you can sign in another way from the authentication dialog box. If you do not have a backup method set, please reach out to the ATUS Help Desk for assistance in getting a temporary access pass issued.
You need to add a valid authentication method like the Microsoft Authenticator app to your Microsoft My Account portal. Note: although an email address works as a second factor for self-service password changes, it does not qualify as a valid second factor for MFA.